Improve answering machines, dns_resolve, renames

gpotter2 · gpotter2 · commit ba51704fcfc6 · 2023-10-31T13:34:04.000+01:00
diff --git a/doc/scapy/routing.rst b/doc/scapy/routing.rst
@@ -6,6 +6,7 @@ Scapy maintains its own network stack, which is independent from the one of your
 It possesses its own *interfaces list*, *routing table*, *ARP cache*, *IPv6 neighbour* cache, *nameservers* config... and so on, all of which is configurable.
 
 Here are a few examples of where this is used::
+
 - When you use ``sr()/send()``, Scapy will use internally its own routing table (``conf.route``) in order to find which interface to use, and eventually send an ARP request.
 - When using ``dns_resolve()``, Scapy uses its own nameservers list (``conf.nameservers``) to perform the request
 - etc.
diff --git a/doc/scapy/usage.rst b/doc/scapy/usage.rst
@@ -1434,28 +1434,32 @@ Visualizing the results in a list::
     >>> res.nsummary(prn=lambda s,r: r.src, lfilter=lambda s,r: r.haslayer(ISAKMP) ) 
 
 
-DNS spoof
----------
+DNS server
+----------
 
-See :class:`~scapy.layers.dns.DNS_am`::
+By default, ``dnsd`` uses a joker (IPv4 only): it answers to all unknown servers with the joker. See :class:`~scapy.layers.dns.DNS_am`::
 
-    >>> dns_spoof(iface="tap0", joker="192.168.1.1")
+    >>> dnsd(iface="tap0", match={"google.com": "1.1.1.1"}, joker="192.168.1.1")
 
-LLMNR spoof
------------
+You can also use ``relay=True`` to replace the joker behavior with a forward to a server included in ``conf.nameservers``.
+
+LLMNR server
+------------
 
 See :class:`~scapy.layers.llmnr.LLMNR_am`::
 
     >>> conf.iface = "tap0"
-    >>> llmnr_spoof(iface="tap0", from_ip=Net("10.0.0.1/24"))
+    >>> llmnrd(iface="tap0", from_ip=Net("10.0.0.1/24"))
 
-Netbios spoof
--------------
+Note that ``llmnrd`` extends the ``dnsd`` API.
+
+Netbios server
+--------------
 
 See :class:`~scapy.layers.netbios.NBNS_am`::
 
-    >>> nbns_spoof(iface="eth0")  # With local IP
-    >>> nbns_spoof(iface="eth0", ip="192.168.122.17")  # With some other IP
+    >>> nbnsd(iface="eth0")  # With local IP
+    >>> nbnsd(iface="eth0", ip="192.168.122.17")  # With some other IP
 
 Node status request (get NetbiosName from IP)
 ---------------------------------------------
diff --git a/scapy/ansmachine.py b/scapy/ansmachine.py
@@ -13,6 +13,7 @@
 
 import abc
 import functools
+import threading
 import socket
 import warnings
 
@@ -225,12 +226,14 @@ def sniff_bg(self):
 class AnsweringMachineTCP(AnsweringMachine[Packet]):
     """
     An answering machine that use the classic socket.socket to
-    answer multiple clients
+    answer multiple TCP clients
     """
+    TYPE = socket.SOCK_STREAM
+
     def parse_options(self, port=80, cls=conf.raw_layer):
         # type: (int, Type[Packet]) -> None
         self.port = port
-        self.cls = conf.raw_layer
+        self.cls = cls
 
     def close(self):
         # type: () -> None
@@ -239,7 +242,7 @@ def close(self):
     def sniff(self):
         # type: () -> None
         from scapy.supersocket import StreamSocket
-        ssock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        ssock = socket.socket(socket.AF_INET, self.TYPE)
         ssock.bind(
             (get_if_addr(self.optsniff.get("iface", conf.iface)), self.port))
         ssock.listen()
@@ -267,6 +270,19 @@ def sniff(self):
             self.close()
             ssock.close()
 
+    def sniff_bg(self):
+        # type: () -> None
+        self.sniffer = threading.Thread(target=self.sniff)  # type: ignore
+        self.sniffer.start()
+
     def make_reply(self, req, address=None):
         # type: (Packet, Optional[Any]) -> Packet
         return req
+
+
+class AnsweringMachineUDP(AnsweringMachineTCP):
+    """
+    An answering machine that use the classic socket.socket to
+    answer multiple UDP clients
+    """
+    TYPE = socket.SOCK_DGRAM
diff --git a/scapy/layers/dhcp.py b/scapy/layers/dhcp.py
@@ -593,7 +593,7 @@ def parse_options(self,
                       network="192.168.1.0/24",
                       gw="192.168.1.1",
                       nameserver=None,
-                      domain="localnet",
+                      domain=None,
                       renewal_time=60,
                       lease_time=1800):
         """
diff --git a/scapy/layers/dns.py b/scapy/layers/dns.py
@@ -1072,13 +1072,13 @@ def mysummary(self):
         name = ""
         if self.qr:
             type = "Ans"
-            if self.an and isinstance(self.an, DNSRR):
-                name = ' "%s"' % self.an[0].rdata
+            if self.an and isinstance(self.an[0], DNSRR):
+                name = ' %s' % self.an[0].rdata
         else:
             type = "Qry"
-            if self.qd and isinstance(self.qd, DNSQR):
-                name = ' "%s"' % self.qd[0].qname
-        return 'DNS %s%s ' % (type, name)
+            if self.qd and isinstance(self.qd[0], DNSQR):
+                name = ' %s' % self.qd[0].qname
+        return 'DNS %s%s' % (type, name)
 
     def post_build(self, pkt, pay):
         if isinstance(self.underlayer, TCP) and self.length is None:
@@ -1129,13 +1129,16 @@ def pre_dissect(self, s):
 
 
 @conf.commands.register
-def dns_resolve(qname, qtype="A", raw=False, verbose=1, **kwargs):
+def dns_resolve(qname, qtype="A", raw=False, verbose=1, timeout=3, **kwargs):
     """
     Perform a simple DNS resolution using conf.nameservers with caching
 
     :param qname: the name to query
     :param qtype: the type to query (default A)
     :param raw: return the whole DNS packet (default False)
+    :param verbose: show verbose errors
+    :param timeout: seconds until timeout (per server)
+    :raise TimeoutError: if no DNS servers were reached in time.
     """
     # Unify types
     qtype = DNSQR.qtype.any2i_one(None, qtype)
@@ -1149,7 +1152,7 @@ def dns_resolve(qname, qtype="A", raw=False, verbose=1, **kwargs):
     if answer:
         return answer
 
-    kwargs.setdefault("timeout", 3)
+    kwargs.setdefault("timeout", timeout)
     kwargs.setdefault("verbose", 0)
     res = None
     for nameserver in conf.nameservers:
@@ -1203,7 +1206,8 @@ def dns_resolve(qname, qtype="A", raw=False, verbose=1, **kwargs):
         # Cache it
         _dns_cache[cache_ident] = answer
         return answer
-    return None
+    else:
+        raise TimeoutError
 
 
 @conf.commands.register
@@ -1247,14 +1251,15 @@ def dyndns_del(nameserver, name, type="ALL", ttl=10):
 
 
 class DNS_am(AnsweringMachine):
-    function_name = "dns_spoof"
+    function_name = "dnsd"
     filter = "udp port 53"
-    cls = DNS  # We use this automaton for llmnr_spoof
+    cls = DNS  # We also use this automaton for llmnrd
 
     def parse_options(self, joker=None,
                       match=None,
                       srvmatch=None,
                       joker6=False,
+                      relay=False,
                       from_ip=None,
                       from_ip6=None,
                       src_ip=None,
@@ -1265,40 +1270,50 @@ def parse_options(self, joker=None,
                       Set to False to disable, None to mirror the interface's IP.
         :param joker6: default IPv6 for unresolved domains (Default: False)
                        set to False to disable, None to mirror the interface's IPv6.
+        :param relay: relay unresolved domains to conf.nameservers (Default: False).
         :param match: a dictionary of {name: val} where name is a string representing
                       a domain name (A, AAAA) and val is a tuple of 2 elements, each
-                      representing an IP or a list of IPs
+                      representing an IP or a list of IPs. If val is a single element,
+                      (A, None) is assumed.
         :param srvmatch: a dictionary of {name: (port, target)} used for SRV
         :param from_ip: an source IP to filter. Can contain a netmask
         :param from_ip6: an source IPv6 to filter. Can contain a netmask
         :param ttl: the DNS time to live (in seconds)
-        :param src_ip:
+        :param src_ip: override the source IP
         :param src_ip6:
 
         Example:
 
-            >>> dns_spoof(joker="192.168.0.2", iface="eth0")
-            >>> dns_spoof(match={
+            $ sudo iptables -I OUTPUT -p icmp --icmp-type 3/3 -j DROP
+            >>> dnsd(match={"google.com": "1.1.1.1"}, joker="192.168.0.2", iface="eth0")
+            >>> dnsd(srvmatch={
             ...     "_ldap._tcp.dc._msdcs.DOMAIN.LOCAL.": (389, "srv1.domain.local")
             ... })
         """
+        def normv(v):
+            if isinstance(v, (tuple, list)) and len(v) == 2:
+                return v
+            elif isinstance(v, str):
+                return (v, None)
+            else:
+                raise ValueError("Bad match value: '%s'" % repr(v))
+
+        def normk(k):
+            k = bytes_encode(k).lower()
+            if not k.endswith(b"."):
+                k += b"."
+            return k
         if match is None:
             self.match = {}
         else:
-            assert all(isinstance(x, (tuple, list)) for x in match.values()), (
-                "'match' values must be a tuple of 2 elements: ('<ipv4>', '<ipv6>')"
-                ". They can be None"
-            )
-            self.match = {bytes_encode(k): v for k, v in match.items()}
+            self.match = {normk(k): normv(v) for k, v in match.items()}
         if srvmatch is None:
             self.srvmatch = {}
         else:
-            assert all(isinstance(x, (tuple, list)) for x in srvmatch.values()), (
-                "'srvmatch' values must be a tuple of 2 elements: (port, 'target')"
-            )
-            self.srvmatch = {bytes_encode(k): v for k, v in srvmatch.items()}
+            self.srvmatch = {normk(k): normv(v) for k, v in srvmatch.items()}
         self.joker = joker
         self.joker6 = joker6
+        self.relay = relay
         if isinstance(from_ip, str):
             self.from_ip = Net(from_ip)
         else:
@@ -1341,51 +1356,65 @@ def make_reply(self, req):
                 if rq.qtype == 28:
                     # AAAA
                     try:
-                        rdata = self.match[rq.qname][1]
+                        rdata = self.match[rq.qname.lower()][1]
                     except KeyError:
-                        if self.joker6 is False:
-                            return
-                        rdata = self.joker6 or get_if_addr6(
-                            self.optsniff.get("iface", conf.iface)
-                        )
+                        if self.relay or self.joker6 is False:
+                            rdata = None
+                        else:
+                            rdata = self.joker6 or get_if_addr6(
+                                self.optsniff.get("iface", conf.iface)
+                            )
                 elif rq.qtype == 1:
                     # A
                     try:
-                        rdata = self.match[rq.qname][0]
+                        rdata = self.match[rq.qname.lower()][0]
                     except KeyError:
-                        if self.joker is False:
-                            return
-                        rdata = self.joker or get_if_addr(
-                            self.optsniff.get("iface", conf.iface)
-                        )
-                if rdata is None:
-                    # Ignore None
-                    return
-                # Common A and AAAA
-                if not isinstance(rdata, list):
-                    rdata = [rdata]
-                ans.extend([
-                    DNSRR(rrname=rq.qname, ttl=self.ttl, rdata=x, type=rq.qtype)
-                    for x in rdata
-                ])
+                        if self.relay or self.joker is False:
+                            rdata = None
+                        else:
+                            rdata = self.joker or get_if_addr(
+                                self.optsniff.get("iface", conf.iface)
+                            )
+                if rdata is not None:
+                    # Common A and AAAA
+                    if not isinstance(rdata, list):
+                        rdata = [rdata]
+                    ans.extend([
+                        DNSRR(rrname=rq.qname, ttl=self.ttl, rdata=x, type=rq.qtype)
+                        for x in rdata
+                    ])
+                    continue  # next
             elif rq.qtype == 33:
                 # SRV
                 try:
-                    port, target = self.srvmatch[rq.qname]
+                    port, target = self.srvmatch[rq.qname.lower()]
+                    ans.append(DNSRRSRV(
+                        rrname=rq.qname,
+                        port=port,
+                        target=target,
+                        weight=100,
+                        ttl=self.ttl
+                    ))
+                    continue  # next
                 except KeyError:
-                    return
-                ans.append(DNSRRSRV(
-                    rrname=rq.qname,
-                    port=port,
-                    target=target,
-                    weight=100,
-                    ttl=self.ttl
-                ))
-            else:
-                # Not handled
-                continue
-        # Common: All
-        if not ans:
-            return
-        resp /= self.cls(id=req.id, qr=1, qd=req.qd, an=ans)
+                    # No result
+                    pass
+            # It it arrives here, there is currently no answer
+            if self.relay:
+                # Relay mode ?
+                try:
+                    _rslv = dns_resolve(rq.qname, qtype=rq.qtype)
+                    if _rslv is not None:
+                        ans.append(_rslv)
+                        continue  # next
+                except TimeoutError:
+                    pass
+            # Error
+            break
+        else:
+            # All rq were answered
+            resp /= self.cls(id=req.id, qr=1, qd=req.qd, an=ans)
+            return resp
+        # An error happened
+        resp /= self.cls(id=req.id, qr=1, qd=req.qd, rcode=3)
         return resp
diff --git a/scapy/layers/llmnr.py b/scapy/layers/llmnr.py
@@ -14,7 +14,13 @@
 
 import struct
 
-from scapy.fields import BitEnumField, BitField, ShortField
+from scapy.fields import (
+    BitEnumField,
+    BitField,
+    DestField,
+    DestIP6Field,
+    ShortField,
+)
 from scapy.packet import Packet, bind_layers, bind_bottom_up
 from scapy.compat import orb
 from scapy.layers.inet import UDP
@@ -88,9 +94,14 @@ def dispatch_hook(cls, _pkt=None, *args, **kargs):
 bind_bottom_up(UDP, _LLMNR, sport=5355)
 bind_layers(UDP, _LLMNR, sport=5355, dport=5355)
 
+DestField.bind_addr(LLMNRQuery, _LLMNR_IPv4_mcast_addr, dport=5355)
+DestField.bind_addr(LLMNRResponse, _LLMNR_IPv4_mcast_addr, dport=5355)
+DestIP6Field.bind_addr(LLMNRQuery, _LLMNR_IPv6_mcast_Addr, dport=5355)
+DestIP6Field.bind_addr(LLMNRResponse, _LLMNR_IPv6_mcast_Addr, dport=5355)
+
 
 class LLMNR_am(DNS_am):
-    function_name = "llmnr_spoof"
+    function_name = "llmnrd"
     filter = "udp port 5355"
     cls = LLMNRQuery
 
diff --git a/scapy/layers/netbios.py b/scapy/layers/netbios.py
@@ -355,7 +355,7 @@ def post_build(self, pkt, pay):
 
 
 class NBNS_am(AnsweringMachine):
-    function_name = "nbns_spoof"
+    function_name = "nbnsd"
     filter = "udp port 137"
     sniff_options = {"store": 0}
 
diff --git a/test/answering_machines.uts b/test/answering_machines.uts
diff --git a/test/scapy/layers/dhcp.uts b/test/scapy/layers/dhcp.uts
